System and method for identifying design efficiency and effectiveness parameters for verifying properties of a circuit model
The present invention is directed to a system and a method for verifying properties of a circuit model while providing information to help the user manually modify a design analysis region and/or environmental constraints. While conventional systems attempt to substantially automate the entire formal verification process, the present invention iteratively provides information to the user about the cost and effect of changes to the environmental constraints and the analysis region. This information enables the user to weigh the effectiveness and efficiency of one or more modifications to the design analysis area and/or to the environmental constraints (assumptions). The information provided to the user can help a user compare a variety of alternative modifications in order to select the modifications that are efficient and effective. In addition, the information can provide alternatives along with the cost and effect of each alternative to the user who otherwise did not identify these alternatives, thus the invention can help the user by identifying suggestions that the user may not have otherwise considered. The present invention then receives information from the user to modify the design analysis area and/or the environmental constraints and will analyze the design with these modified parameters.
This application is a continuation-in-part of U.S. patent application Ser. No. 10/389,316, filed on Mar. 14, 2003 by Vigyan Singhal and Joseph E. Higgins, which claims priority to U.S. provisional application No. 60/377,392, filed on May 3, 2002 by Vigyan Singhal and Joseph E. Higgins which are incorporated by reference herein in their entirety.
This application is also related to U.S. patent application Ser. No. 10/736,826 filed on Dec. 15, 2003 by Chung-Wah Norris Ip, Lawrence Loh, Vigyan Singhal, and Howard Wong-Toi, entitled “Managing Formal Verification Complexity of Designs with Counters” and U.S. patent application Ser. No. 10/606,419 filed on Jun. 26, 2003 by Chung-Wah Norris Ip, Vigyan Singhal, Joseph E. Higgins, and Howard Wong-Toi, and U.S. patent application Ser. No. 10/401,315, filed on Mar. 27, 2003 by Vigyan Singhal, Joseph E. Higgins, and Alok N. Singh, which are all incorporated by reference herein in their entirety.
BACKGROUND

The present invention relates generally to the field of functional verification of digital circuit designs. More specifically, the present invention relates to the field of formal verification of a digital circuit design and verifying the behavior of a circuit model to satisfy specified properties.
Recent increases in the complexity of modern integrated circuits have exacerbated the difficulty of verifying design correctness. The verification phase of a typical integrated circuit design project consumes approximately 70–80% of the total time and resources dedicated to a project. Flaws in the design that are not found during the verification phase have significant economic impact in terms of increased time-to-market and reduced profit margins.
A typical design flow for integrated circuit design includes many steps that proceed sequentially, with each step depending on the results of the previous steps. Consequently, when a flaw is discovered in a step, all the previous steps must be repeated, often at a significant cost. Hence, it is highly desirable to find and fix design flaws as early as possible in a design flow.
Traditionally, simulation-based techniques have been used to verify design correctness. Transistor-level simulation-based techniques were used in the early 1970s and logic gate-level simulation-based techniques were used in the late 1980s. As the complexity of designs increased with the passage of time, drawbacks associated with these techniques came to light. These techniques became less effective because of their inability to completely and quickly verify large designs. A popular alternative is the use of Register Transfer Level (RTL) simulation. Contemporary verification and debugging tools use various levels of abstraction for defining design specifications. These abstractions are expressed in high-level description languages. High-level description languages provide a number of functionalities for analyzing and verifying a design while performing simulation. For example, a designer can navigate the design hierarchy, view the RTL source code, and set breakpoints on a statement of the RTL source code to stop the simulation. Also, line numbers are provided in the RTL source code to identify different lines and statements. Further, the verification and debugging tools often support viewing and tracing variables and sometimes even signal values. These RTL-level simulation tools typically also offer these and other types of RTL debugging functionalities.
The verification tools as mentioned above typically follow a design flow. In the first step of the design flow, the conceptual nature of the integrated circuit is determined. The desired functionality of a circuit is expressed as a collection of properties or specifications, and possibly as a model of the behavior in a high-level language such as C++. The RTL model of the digital circuit is built based upon knowledge of the specifications or the high-level model. The RTL model is expressed in a hardware description language (HDL) such as Verilog available from Cadence Design Systems, Inc. of Santa Clara, Calif. or VHDL available from IEEE of New York, N.Y. Many other steps such as synthesis, timing optimization, clock tree insertion, place and route, etc., yield subsequent transformations of the design. These transformations eventually result in a set of masks that are fabricated into integrated circuits. The current invention is targeted at finding design flaws in the RTL model of the design, which is a very early phase of the design flow.
In the design flow, creation of RTL source code is followed by verification in order to check the compliance of the RTL source code to the design specifications. Three approaches commonly used to verify the design at the RTL level are simulation, emulation and formal methods.
Simulation is one of the most prevalent methods used to determine whether the design is in accordance with the specifications by simulating the behavior of the RTL model. The simulation process uses RTL source code and a “Test Bench” to verify a design. The Test Bench contains a subset of all possible inputs to the circuit/logic. For an ‘n’ input circuit, there are 2^n possible input combinations at any given time. For large n, e.g., for a complex design, the number of possible input sequences becomes prohibitively large. To simplify this, only a subset of all possible input sequences is described in any given Test Bench. An example of such a tool is NC-Verilog from Cadence Design Systems, Inc. of Santa Clara, Calif. To simulate the RTL model, a Test Bench must be created to provide appropriate input stimulus to the RTL model. Creating the Test Bench is a time consuming process. The process of simulating the Test Bench is also time consuming. Furthermore, it is effectively impossible to create enough test cases to completely verify that the specified properties of the design are true. This is because of the sheer number of possible input sequences, and also because it requires in-depth knowledge and tremendous creativity on the part of the Test Bench creator to imagine the worst-case scenarios.
An increasingly popular alternative is to use formal methods to completely verify properties of a design. Formal methods use mathematical techniques to prove that a design property is either always true, or to provide an example scenario (referred to as a counterexample) demonstrating that the property is false. One category of tools using formal methods to verify properties are known as Model Checkers. An example of a conventional model checking tool is the Formal-Check tool from Cadence Design Systems, Inc. of Santa Clara, Calif.
When the conventional method is applied to verify the property of a circuit model, there are three possible outcomes: (1) The system determines that the property is true for all input sequences that satisfy the set of environmental constraints. (2) The system is unable to make a determination due to lack of computing resources (time or memory). (3) The system determines that the property is false. In the third case, the conventional system produces a counterexample that satisfies the set of environmental constraints, but for which the property fails to be true.
Several issues inhibit the widespread use of model checking. One issue is performance. Resources used to perform verification are typically exponentially related to the number of registers in the circuit model. This is referred to as the “state space explosion” problem. Many conventional Model Checkers analyze the entire design before proving a particular property. The complexity and size of modern integrated circuits, combined with the state space explosion problem, make it impossible to use such Model Checkers on large designs.
Instead of analyzing the entire design, other conventional Model Checkers analyze the portion of the design relevant to a particular property from a structural point of view. This includes all portions of the design between the signals relevant to the property and the primary inputs. An example of a conventional system that implements this property-dependent design analysis is the COSPAN model checking engine referred to in R. P. Kurshan, “Formal Verification in a Commercial Setting”, Design Automation Conference, pp. 258–262, June 1997, Anaheim, Calif. However, even the property-relevant portion of the design can be very large. Thus, in this case the state space explosion problem can result in severe performance problems.
Another issue is that no conventional system permits complete control over the region of the circuit model to be examined when verifying a particular property. The user typically resorts to manually modifying the design by removing and replacing parts of the design in order to determine if a property is true. An example of this design modification technique is described in S. G. Govindaraju et al., “Counterexample-Guided Choice of Projections in Approximate Symbolic Model Checking”, IEEE International Conference on Computer-Aided Design, pp. 115–119, November 2000. This modification of the design introduces the possibility of human error and requires additional steps.
Conventional formal verification techniques attempt to fully automate the formal verification process, and the primary flow usually does not involve getting inputs from the user. The primary interaction from the user is to provide appropriate environmental constraints. However, a user who is used to running simulation may not know how to provide environmental constraints for a formal tool, and there may be a wide range of possible assumptions, some of which lead to an efficient formal analysis and some of which lead to an incomplete proof.
In addition, even if the user has a chance to provide detailed guidance to the formal verification process, a user that is not an expert in formal verification may not know enough about the formal verification algorithm to provide the right inputs to the tool. Furthermore, at each interactive step, there may be a wide range of possible actions; without generating guidance from the tool for the user, the user may specify actions that have adverse effect to the performance of the formal verification process.
Accordingly, what is needed is a system and a method that (1) verifies a circuit model in a short duration of time, (2) automatically verifies a circuit model while permitting complete control over the region of the circuit model to be examined and environmental conditions to be applied, and (3) provides the user with information to evaluate the cost and effect of modifying the region of the circuit model to be examined and/or adding the environmental constraints (assumptions) to be applied.
SUMMARY

The present invention is directed to a system and a method for verifying properties of a circuit model while providing information to help the user manually modify a design analysis region and/or environmental constraints. While conventional systems attempt to substantially automate the entire formal verification process, the present invention iteratively provides information to the user about the cost and effect of changes to the environmental constraints and the analysis region. This information enables the user to weigh the effectiveness and efficiency of one or more modifications to the design analysis area and/or to the environmental constraints (assumptions). The information provided to the user can help a user compare a variety of alternative modifications in order to select the modifications that are efficient and effective. In addition, the information can provide alternatives along with the cost and effect of each alternative to the user who otherwise did not identify these alternatives, thus the invention can help the user by identifying suggestions that the user may not have otherwise considered. The present invention then receives information from the user to modify the design analysis area and/or the environmental constraints and will analyze the design with these modified parameters.
In one embodiment, the present invention analyzes the design and if the design is verified, the invention enables the user to modify environmental constraints and/or analysis regions to increase the speed of the verification process. The present invention quickly provides the user with a list of possible modifications, e.g., environmental constraints and/or changes to the analysis region, along with information about the cost or complexity of these modifications. In addition the present invention can provide the user with an indication of the effect that implementing each of the modifications has on the verification process, e.g., does the modification generate a counterexample or does it reintroduce a previously identified counterexample.
When one or more counterexamples are generated during the design analysis, the present invention can quickly provide the user with a list of possible modifications, e.g., environmental constraints and/or changes to the analysis region, along with information about the cost or complexity of implementing these modifications. In addition the present invention can iteratively provide the user with an indication of the effect that implementing each of the modifications has on the verification process, e.g., does it eliminate a counterexample or reintroduce a previously removed counterexample. By providing this information to the user both at the start and iteratively during the verification process, the present invention is able to receive information from the user that may significantly improve the performance of the system by guiding the user to provide a better design analysis configuration. For example, the user may modify environmental constraints that eliminate some counterexamples or increase the efficiency of the analysis. Similarly, the user may modify the analysis region by expanding or contracting the region in order to eliminate counterexamples and/or to increase the efficiency of the analysis.
The preferred embodiments of the invention will hereinafter be described in conjunction with the appended drawings provided to illustrate and not to limit the invention, wherein like designations denote like elements, and in which:
A preferred embodiment of the present invention is now described with reference to the figures where like reference numbers indicate identical or functionally similar elements. Also in the figures, the leftmost digit of each reference number corresponds to the figure in which the reference number is first used.
Reference in the specification to “one embodiment” or to “an embodiment” means that a particular feature, structure, or characteristic described in connection with the embodiments is included in at least one embodiment of the invention. The appearances of the phrase “in one embodiment” in various places in the specification are not necessarily all referring to the same embodiment.
Some portions of the detailed description that follows are presented in terms of algorithms and symbolic representations of operations on data bits within a computer memory. These algorithmic descriptions and representations are the means used by those skilled in the data processing arts to most effectively convey the substance of their work to others skilled in the art. An algorithm is here, and generally, conceived to be a self-consistent sequence of steps (instructions) leading to a desired result. The steps are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical, magnetic or optical signals capable of being stored, transferred, combined, compared and otherwise manipulated. It is convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers, or the like. Furthermore, it is also convenient at times, to refer to certain arrangements of steps requiring physical manipulations of physical quantities as modules or code devices, without loss of generality.
It should be borne in mind, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities. Unless specifically stated otherwise as apparent from the following discussion, it is appreciated that throughout the description, discussions utilizing terms such as “processing” or “computing” or “calculating” or “determining” or “displaying” or the like, refer to the action and processes of a computer system, or similar electronic computing device, that manipulates and transforms data represented as physical (electronic) quantities within the computer system memories or registers or other such information storage, transmission or display devices.
Certain aspects of the present invention include process steps and instructions described herein in the form of an algorithm. It should be noted that the process steps and instructions of the present invention could be embodied in software, firmware or hardware, and when embodied in software, could be downloaded to reside on and be operated from different platforms used by a variety of operating systems.
The present invention also relates to an apparatus for performing the operations herein. This apparatus may be specially constructed for the required purposes, or it may comprise a general-purpose computer selectively activated or reconfigured by a computer program stored in the computer. Such a computer program may be stored in a computer readable storage medium, such as, but not limited to, any type of disk including floppy disks, optical disks, CD-ROMs, magneto-optical disks, read-only memories (ROMs), random access memories (RAMs), EPROMs, EEPROMs, magnetic or optical cards, application specific integrated circuits (ASICs), or any type of media suitable for storing electronic instructions, each coupled to a computer system bus. Furthermore, the computers referred to in the specification may include a single processor or may be architectures employing multiple processor designs for increased computing capability.
The algorithms and displays presented herein are not inherently related to any particular computer or other apparatus. Various general-purpose systems may also be used with programs in accordance with the teachings herein, or it may prove convenient to construct more specialized apparatus to perform the required method steps. The required structure for a variety of these systems will appear from the description below. In addition, the present invention is not described with reference to any particular programming language. It will be appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any references below to specific languages are provided for disclosure of enablement and best mode of the present invention.
Finally, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the inventive subject matter. Accordingly, the disclosure of the present invention is intended to be illustrative, but not limiting, of the scope of the invention, which is set forth in the following claims.
The present invention provides a method and a system for verification of RTL-level circuit models using formal methods. For the purpose of clarity, the terms used for describing the present invention are defined below.
The term “formula” describes a boolean formula consisting of signals and operators in a circuit model. Examples of operators are AND, OR, NOT and other operators related to time. An example of an operator related to time is one that refers to the previous value of a signal. Such operators are well known in the art such as that described in K. McMillan, “Symbolic Model Checking”, PhD. thesis, Carnegie Mellon University, May 1992. The formula can have either a true (1), or a false (0) value.
The term “property” defines a desirable behavior of the circuit model in terms of a formula. The user wishes to check if a property is true or false in the context of a circuit model.
The term “environmental constraint” describes a constraint on the primary inputs of a circuit model in terms of a formula. The term “environmental constraint” is also referred to as “assumption”. A property is verified in the context of a set of environmental constraints, all the environmental constraints being true in the circuit model. The set of environmental constraints may be a null set (i.e. no environmental constraints) or may comprise one or more environmental constraints. Referring again to
The term “boundary net” describes either a primary input or a signal that is used to remove a portion of the design from the formal analysis. During formal analysis, instead of having values as determined by the logic in the design, these boundary nets can take any value unless constrained by an assumption. As a result, the tool is analyzing more behavior than is possible in the actual design, and any property that is verified as “always true” using the set of boundary nets is also “always true” in the original design. For example in
The term “analysis region” comprises the following signals: (1) all signals referred to by a property (and the assumptions), (2) all signals in the corresponding set of boundary nets, and (3) all signals that lie on a signal path between a signal referred to by a property (and assumptions) and a signal in the set of boundary nets. A set of boundary nets is called complete if the signals in the analysis region are not connected to signals outside of the region except through a boundary net. An analysis region corresponds to a particular complete set of boundary nets, and similarly, a complete set of boundary nets defines a corresponding analysis region. Hence, the two terms are herein used interchangeably in the description.
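The region computation that this definition describes, as an added example written for this page (it is not code from the patent or from any Jasper tool): a small netlist is constructed inline, with net names chosen to mirror the signals used later in the description (A driven by a logic block CL1, H driven by a block CL2, D being the OR of B and H); the gate types and the signal Y referred to by the property are assumptions for illustration. The region is found by walking fan-ins backward from the property signals and stopping at boundary nets; the completeness check only looks at the fan-in side, reporting primary inputs the walk reaches that the boundary-net set does not list.

```python
from typing import Dict, List, Set, Tuple

# net name -> (gate type, fan-in nets); a primary input has type "INPUT" and no fan-ins.
Netlist = Dict[str, Tuple[str, List[str]]]

# Constructed example netlist (an assumption, for illustration only).
NETLIST: Netlist = {
    "P": ("INPUT", []), "Q": ("INPUT", []), "B": ("INPUT", []),
    "E": ("INPUT", []), "F": ("INPUT", []),
    "A": ("AND", ["P", "Q"]),   # CL1: the logic driving A
    "H": ("OR", ["E", "F"]),    # CL2: the logic driving H
    "D": ("OR", ["B", "H"]),    # the OR gate between B and H
    "Y": ("AND", ["A", "D"]),   # the signal referred to by the property
}


def analysis_region(netlist: Netlist, property_signals: Set[str],
                    boundary_nets: Set[str]) -> Set[str]:
    """Return (1) the property signals, (2) the boundary nets reached from them and
    (3) every signal on a path in between, by walking fan-ins backward from the
    property signals and stopping at boundary nets. The visited set also
    terminates the walk on loops through registers, if the netlist has any."""
    region: Set[str] = set()
    stack = list(property_signals)
    while stack:
        net = stack.pop()
        if net in region:
            continue
        region.add(net)
        if net in boundary_nets:
            continue  # cut here: the logic behind a boundary net is not analysed
        stack.extend(netlist[net][1])
    return region


def missing_boundary_nets(netlist: Netlist, region: Set[str],
                          boundary_nets: Set[str]) -> Set[str]:
    """Primary inputs inside the region that the boundary-net set does not list.
    By construction every fan-in of a non-boundary region signal is itself in the
    region, so an un-listed primary input is the only fan-in-side connection to
    the outside; an empty result means the set of boundary nets is complete."""
    return {n for n in region
            if netlist[n][0] == "INPUT" and n not in boundary_nets}


def is_complete(netlist: Netlist, region: Set[str], boundary_nets: Set[str]) -> bool:
    return not missing_boundary_nets(netlist, region, boundary_nets)


if __name__ == "__main__":
    for cuts in ({"A", "B", "H"}, {"A", "B"}):
        region = analysis_region(NETLIST, {"Y"}, cuts)
        print(sorted(cuts), sorted(region), is_complete(NETLIST, region, cuts))
```

Cutting at A, B and H keeps CL1 and CL2 out of the analysis and yields a complete set; cutting only at A and B pulls CL2 and its inputs E and F into the region, and the set is incomplete until E and F (which are primary inputs and therefore boundary nets by definition) are listed.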
The term “counterexample” describes a scenario illustrating how the property may have a false value. Traditionally, a counterexample is a sequence of value assignments to the primary inputs of the design. With U.S. application Ser. No. 10/389,316, referenced above, and other similar approaches using the concept of analysis region, it can be a sequence of value assignments to the boundary nets. The scenario must satisfy the set of environmental constraints.
The term “false negative” describes a scenario in which a property is determined to be false and yet the user considers the counterexample irrelevant. This may be because the counterexample requires an illegal value sequence at the primary inputs, in which case the user needs to add a new environmental constraint for the formal analysis. Alternatively, it may be because the property is false only in the context of the current set of boundary nets, and not in the context of the full design; in this case, the user needs to modify the boundary nets for the formal analysis.
An example of a false negative is shown in
The term “binary decision diagram” (BDD) refers to a graph-based data structure used for manipulating boolean functions. A description of the techniques used to create and manipulate BDDs may be found in R. E. Bryant, “Graph-Based Algorithms for Boolean Function Manipulation”, IEEE Transactions on Computers, Vol. C-35, No. 8, August 1986, pp. 677–691.
The term “design hierarchy” describes a collection of sub-designs and the manner in which they are interconnected. The design hierarchy has exactly one top-level design. The top-level design is further subdivided into sub-designs. A sub-design can be encapsulated into a single unit and repeatedly instantiated inside other designs.
The term “bus” describes a collection of single bit signals that are referred to collectively by a single name. For example, single bit signals X[0], X[1] and X[2] comprise a 3-bit bus named X.
A circuit model is typically described in a hardware description language (HDL), and then synthesized into an internal data structure in a tool.
The flowchart in
The method reads an HDL description of the circuit model in step 702, properties to be verified in step 704 and the set of environmental constraints in step 706. A synthesized netlist of the circuit model is then generated in step 708. A netlist is a list of components such as gates, flip-flops etc. A netlist describes the properties of the components and the connections between them. A check is made in step 710 to confirm whether all the properties have been verified. If all the properties have not been verified, the next property is verified in context of a set of environmental constraints in step 712. After verification, the result is provided to the user in step 714. After verification of all the properties, the method terminates.
The abovementioned conventional method only permits the set of boundary nets to be the primary inputs of the circuit model. Step 712 uses a method well known in the state-of-the-art to check if a property is true or false. For purposes of clarity, and to highlight the improvements made by the current invention, this method (hereon referred as Method A) is described using a flowchart in
The first step of Method A involves building a BDD in step 802 for each register in the specified circuit model. The BDD represents the next-state function of a register. These BDDs are functions of the primary inputs of the circuit model as well as the state variables of the circuit model. Here, each state variable represents the output of a register. The next step, 804, involves building a BDD for the combinational condition that represents a violation of the specified property for the circuit model. Step 804 is followed by step 806, which involves building a BDD for the initial state set. The initial state set is defined as the set of states that the circuit model can attain after the circuit model has been initialized or reset. Further, a current reachable set is defined in step 808. The current reachable set is defined as the set of states that the circuit model can attain at the time of observation. The current reachable set is initialized to the initial state set. This is followed by a check in step 810 to verify whether the current reachable set intersects the BDD built in step 804. If the check results in a true condition, it implies that the specified property is not verified for the specified circuit model. Hence, a counterexample is generated according to step 812 and it is reported that the property is false in step 814. The method then terminates. If the check in step 810 results in a false condition, the reachable set is expanded in step 816 using the BDDs for the next-state functions built in step 802 to include the additional states that can be reached in the next clock cycle. A check in step 818 is then performed to verify whether the expanded reachable set equals the current reachable set. If the check results in a true condition, a fixed point has been reached and the method moves to step 822. In step 822, the result (the property is true) is reported and the method terminates. If the check in step 818 results in a false condition, then in step 820 the current reachable set is set to the newly computed reachable set of step 816.
The control is then returned back to step 810. The process is thereafter repeated for the updated current reachable set.
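Method A in executable form, as an added example that is not code from the patent: the sets of states are kept explicitly (as Python sets of register-value tuples) where a conventional tool keeps BDDs, so the loop of steps 808 through 822 can be read and run on a small constructed circuit model. The model, a two-bit counter with `en` and `clr` inputs, and the property and environmental constraint checked against it are assumptions made for illustration. The same model exercises both outcome (3), a counterexample reported as a sequence of primary-input assignments, and outcome (1), a proof by fixed point once an assumption excludes the offending stimulus; outcome (2), resource exhaustion, is not modelled.

```python
import itertools
from typing import Callable, Dict, Iterable, List, Optional, Tuple

State = Tuple[int, ...]      # one entry per register (the value of each state variable)
Inputs = Dict[str, int]      # one assignment to the primary inputs for one clock cycle
Trace = List[Inputs]


def all_assignments(input_names: List[str]) -> List[Inputs]:
    """Every assignment to the primary inputs (2**n of them, which is why real
    tools represent sets of them symbolically with BDDs rather than enumerate)."""
    return [dict(zip(input_names, bits))
            for bits in itertools.product((0, 1), repeat=len(input_names))]


def method_a(init_states: Iterable[State],
             next_state: Callable[[State, Inputs], State],
             violates: Callable[[State], bool],
             input_names: List[str],
             assumption: Optional[Callable[[State, Inputs], bool]] = None):
    """Explicit-state version of steps 806-822: grow the reachable set one clock
    cycle at a time until it either meets a violating state (report "false" with
    a counterexample) or stops growing (report "true": the property is proved)."""
    inputs = all_assignments(input_names)
    pred: Dict[State, Optional[Tuple[State, Inputs]]] = {s: None for s in init_states}  # 806/808
    reachable = set(pred)
    while True:
        bad = [s for s in reachable if violates(s)]           # 810: intersect with violation
        if bad:
            return "false", counterexample(bad[0], pred)      # 812/814
        expanded = set(reachable)                              # 816: one more clock cycle
        for s in reachable:
            for inp in inputs:
                if assumption is not None and not assumption(s, inp):
                    continue   # the environmental constraint excludes this stimulus
                nxt = next_state(s, inp)
                if nxt not in pred:
                    pred[nxt] = (s, inp)
                    expanded.add(nxt)
        if expanded == reachable:                              # 818: fixed point reached
            return "true", sorted(reachable)                   # 822
        reachable = expanded                                   # 820


def counterexample(state: State, pred) -> Trace:
    """Walk the predecessor map back to an initial state; the result is the
    sequence of primary-input assignments, one per cycle, that reaches `state`."""
    trace: Trace = []
    while pred[state] is not None:
        state, inp = pred[state]
        trace.append(inp)
    trace.reverse()
    return trace


# Constructed circuit model (an assumption, for illustration): a 2-bit counter
# `cnt` that resets to 0, increments when en=1 and clears when clr=1.
INPUT_NAMES = ["en", "clr"]
INIT_STATES = [(0,)]


def counter_next(s: State, inp: Inputs) -> State:
    cnt = s[0]
    if inp["clr"]:
        return (0,)
    return ((cnt + 1) % 4,) if inp["en"] else (cnt,)


def cnt_is_three(s: State) -> bool:
    """Violation of the property 'cnt != 3'."""
    return s[0] == 3


def clear_at_two(s: State, inp: Inputs) -> bool:
    """Environmental constraint: the environment asserts clr whenever cnt == 2."""
    return s[0] != 2 or inp["clr"] == 1


if __name__ == "__main__":
    print(method_a(INIT_STATES, counter_next, cnt_is_three, INPUT_NAMES))
    print(method_a(INIT_STATES, counter_next, cnt_is_three, INPUT_NAMES, clear_at_two))
```

Without the constraint the loop reaches `cnt == 3` after three expansions and reports the three-cycle stimulus `en=1, clr=0` that gets there; with `clear_at_two` in force the reachable set stabilises at {0, 1, 2} and the property is reported true, which is the effect the description attributes to adding a well-chosen assumption.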
The preferred embodiment of the current invention describes a method that improves upon the conventional methods in many ways. The flow chart shown in
A flow chart that depicts a more complete embodiment of the current invention is set forth in
The present invention analyzes 954 the design and determines whether the requirement is always true or not. If the requirement is not always true, counterexamples are generated, as described above. If one or more counterexamples are generated by the analysis 954, the counterexamples are presented to the user. The user determines 958 whether the counterexample represents a design error or a false negative. If the user determines that the counterexample represents a design error, then the analysis conclusion and the counterexamples are provided 960 to the user and the verification process ends.
If the user determines 958 that the counterexamples do not correspond to a design error, then the present invention helps the user eliminate the counterexamples by identifying 962 the cost and effect of assumptions and/or modifications to the analysis region. A more detailed description of this process is illustrated in
(CE1) A == 1 && B == X
(CE2) B == 1 && A == X
The present invention then analyzes 1104 the primary inputs. In this example signal B is the only primary input (into the analysis region 1302) that is relevant to the two counterexamples. A more detailed description of the step of analyzing 1104 the analysis region is set forth in
The present invention then estimates 1210 the cost/savings of adding assumptions. The cost/savings can correspond to a variety of factors that affect the performance of the verification. For example, (1) the size of the corresponding BDD used to capture the assumption gives a quantitative indication of the speed of any operation that involves such an assumption. The larger the BDD, the slower the analysis will become; (2) the assumption may also simplify the analysis by causing other assumptions or logic in the design to become irrelevant to the analysis. For example, if an assumption “B==1” is introduced, because of the OR gate between signals B and D, the signal D will have the value 1 regardless of the value of the signal H and the activity in CL2. The size of the corresponding BDD used to capture CL2 gives a quantitative indication of the resulting speed-up; (3) instead of using a Boolean expression on existing signals in the design as an assumption, an assumption may assume the input to have the same value as a signal that is driven by arbitrarily complex logic. In this case, it may capture temporal behavior. The cost or saving of including this assumption depends on the characteristics of the logic: (a) the size of the corresponding BDD used to capture the logic gives a quantitative indication of the speed of any operation involving this assumption, (b) a counter-like behavior in this logic leads to more iterations (steps 810, 816, 818, 820) in the analysis, and therefore the range of possible values in this counter gives a quantitative indication of the number of iterations required to complete the analysis, (c) a datapath-like behavior in this logic leads to more states to be maintained in the reachable set during the analysis in
There are also other possibilities regarding the cost/saving of adding an assumption, as we take into account for generic and application-specific design characteristics, such as the use of FIFO, memory, decoder, pipeline logic, etc. By providing feedback on the cost or savings of making this assumption, the user may make educated decision about whether to make the current assumptions, or spend more time in devising a better assumption, or even incorporate appropriate abstraction into the assumption. The present invention may also suggest appropriate abstraction for specific characteristics of the logic.
In this example, the savings of adding the assumption B == 0 is not significant, since the assumption will not eliminate the need to analyze any significant block of logic. That is, since signal B and signal H are inputs to an OR gate, even if signal B is zero, the output of the OR gate (signal D) will still depend upon the output (signal H) of the complex logic block CL2. Therefore, even with this assumption, complex logic block CL2 needs to be analyzed. However, the BDD corresponding to “B==0” is also small. Therefore, overall, adding the assumption will not introduce high overhead either, and it will probably reduce the number of states stored in the reachable set. As a result, the tool will conclude that the assumption won't have an adverse effect on performance, and that it is probably advantageous to add it in order to eliminate the counterexample CE2. The process then continues with the flow returning to
The present invention continues by determining 1106 whether any logic driving the boundary nets of the analysis region 1302 would invalidate any of the counterexamples. For example, in an embodiment of the invention, the answer may be estimated through a 3-valued simulation of the full design using values from the counterexample for the primary inputs. If the answer is yes, the present invention estimates 1108 how much logic is necessary to invalidate any counterexample. The present invention estimates 1108 the amount of logic using an intelligent traversal of the netlist representing the design. This traversal can be performed using a conventional depth-first search (DFS) algorithm. During the traversal, the search explores the part that is inconsistent, i.e., where the values from the counterexample and from the simulation differ. In the example of
In this example the cost of adding additional logic includes the cost of adding two AND gates 1304 and 1306. However, the cost of complex logic blocks CL4 and CL5 is not included, since the outputs of these complex logic blocks have no effect on the output. As a result, the corresponding BDD represents a three-input AND gate. Furthermore, if we combine this BDD with the BDD corresponding to the assumption “F==0”, we can simplify the analysis into a BDD that says A==0, which is even simpler than the three-input AND gate. Furthermore, since the invention has identified that the assumption F == 0 implies A == 0, the value of signal G has no effect on the output (since if A == 0 then C == 0). Accordingly, the present invention includes in the cost estimation the cost saved by eliminating the logic (CL1) driving signal G. The cost savings can be estimated based upon the size of the BDD representing the CL1 logic, and also upon whether the CL1 logic is a counter or not, etc.
After estimating the cost and effect of each assumption and of each addition of logic to the analysis region, the invention presents 1114 the cost and effect to the user using a graphical user interface or another technique for providing the user with the information, e.g., writing the information to a file. The present invention provides the assumptions, effect and cost generated in step 1104 or 1102 (discussed below) along with the cost and effect of adding logic as determined in steps 1108 and 1110. The invention may also prioritize the assumptions by their effects and costs, and derive conclusions such as “adding assumption A will lead to a faster analysis than adding assumption B” or “adding both assumptions A and B will remove all existing counterexamples, but will slow down the analysis a lot”. It may also suggest a possible abstraction in order to incorporate a certain assumption at reduced cost.
In this example, the present invention outputs the assumption B == 0, the effect of the assumption, i.e., an indication that this assumption will eliminate counterexample CE2, and the cost of adding this assumption, which in this example is not significant and can be expressed as the size of the additional BDDs, e.g., 10. The present invention then receives 1116 a selection of the assumptions and/or additional logic from the user. The user may select one or more of the possibilities generated by the present invention or may provide other assumptions or logic that have not been suggested by the present invention. The subset may be empty or may equal the whole set, i.e., the user can select all or none of the possibilities generated by the present invention.
If the verification is of a complete design 1101, e.g., if the analysis region is the entire design to be verified, then the present invention analyzes 1102 the primary inputs. The details of analyzing 1102 the primary inputs are described above with reference to step 1104 and
In the present example, the user elects to utilize the additional logic driving signal A (including AND gates 1304 and 1306) and the assumption B == 0. Thus the analysis region 1402 changes as illustrated in
After identifying 962 potential assumptions and potential analysis regions to attempt removal of counterexamples, the present invention receives 964 an indication from the user as to whether the verification process was too slow. It is not uncommon for the verification process to take several hours for complex designs. If the process is too slow, the present invention provides options and information to the user regarding how to decrease the verification time by tuning 966 the analysis. Details about analysis tuning 966 are described in
B == 0
F == 0.
In this example, signals within the analysis region include signals C, D, H, A, E, etc. In step 1002, either the tool selects a subset of these signals to be analyzed, or the user manually identifies them. Let's say the signal H is selected. The analysis region 1402 is being analyzed and the set of stored counterexamples are CE1 (A == 1 && B == X) and CE2 (B == 1 && A == X). As described above, the goal is to prove that the output is zero at all times. In this example, there are no outstanding counterexamples, since the user accepted the assumption and additional logic that eliminated the counterexamples in step 962. However, in other examples, counterexamples may exist, but their existence does not change the tuning analysis 966 process according to one embodiment of the present invention. Since the process steps can be accomplished differently, e.g., steps 964 and 966 can occur prior to 962, in an alternate embodiment the analysis tuning step can account for whether making another assumption or adding/removing logic will eliminate an existing counterexample.
The present invention estimates 1006 whether removing an assumption or logic driving a signal will cause a previously invalidated counterexample to once again become a valid counterexample. The present invention iteratively analyzes each assumption and each piece of logic that drives a signal to determine whether such a known counterexample becomes valid. In this example, the present invention analyzes the situation where the assumption B == 0 is eliminated and determines that eliminating this assumption has no effect on the first counterexample CE1 but will cause the second counterexample CE2 to become valid once again. Similarly, the present invention analyzes the situation where the assumption F == 0 is eliminated and determines that eliminating this assumption has no effect on the counterexample CE2 but will cause the counterexample CE1 to become valid once again. The invention then analyzes whether removing the logic driving signal H will cause a previous counterexample to become valid. In this example, removing the logic driving signal H (CL2) will not cause either CE1 or CE2 to reappear.
The present invention then estimates 1008 the cost savings of removing each assumption and each collection of logic driving a signal. Removing the assumption B == 0 will not result in any significant cost increase, because no logic was eliminated by this assumption. In contrast, removing the assumption F == 0 will result in a significant cost increase, because the cost of analyzing complex logic blocks CL1, CL4 and CL5 (or alternatively only CL1, since CL4 and CL5 can be eliminated by modifying the analysis region) is significant in this example and may have a complexity on the order of several thousand, given the sizes of the BDDs for the three pieces of logic. Because of the complication introduced by the logic blocks originally rendered irrelevant by the assumption, the current embodiment of the invention presents several alternatives regarding the assumption “F==0”. For example, putting back CL1, CL4, and CL5, so that the cost would be high, or keeping out CL1, CL4, and CL5, so that the cost would be low but the chance of causing a new counterexample to appear is high. Removing the complex logic driving signal H (CL2) will also result in a cost savings based upon, for example, the size of the BDD representing the CL2 logic. The cost information and the effect on previous (or existing) counterexamples is presented 1010 to the user, and the user may select 1012 none, one or more of the assumptions and/or logic driving signals. In addition, the present invention permits the user to enter assumptions or modify the logic to be analyzed beyond what the present invention presents. In this example, the user elects to eliminate the logic (CL2) that drives signal H.
Note that while the removal of the logic CL2 will not cause the previously invalidated counterexamples to reappear, it will lead to a new counterexample that represents a false negative, as removing CL2 enables H to take value 0 or 1 at any time.
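The cost/effect estimation for adding an assumption (steps 1206 to 1210 and 1106 to 1110 above) and the reappearance check when an assumption is later removed (tuning step 1006) can both be built on the same constant propagation over the netlist. The following is an added example, not the patent's own implementation; its netlist is constructed to follow the running example (D = B || H, C = A && G, output = C || D, AND gates 1304 and 1306 driving A, blocks CL1, CL2, CL4, CL5), while the exact wiring of CL4/CL5 into the AND gates and the per-block costs (nominal stand-ins for BDD sizes) are assumptions, since the figure they come from is not on the page.

```python
"""Effect and cost of adding or removing an assumption (added example).

Constructed netlist following the page's running example; block costs are
nominal stand-ins for BDD sizes, and the CL4/CL5 wiring is assumed.
"""
from typing import Dict, List, Set, Tuple

# signal -> (gate type, inputs); a BLOCK's single "input" is the block's name
GATES: Dict[str, Tuple[str, Tuple[str, ...]]] = {
    "G":   ("BLOCK", ("CL1",)),
    "H":   ("BLOCK", ("CL2",)),
    "P":   ("BLOCK", ("CL4",)),   # assumed: CL4 feeds AND gate 1304
    "Q":   ("BLOCK", ("CL5",)),   # assumed: CL5 feeds AND gate 1306
    "A1":  ("AND", ("F", "P")),   # AND gate 1304
    "A":   ("AND", ("A1", "Q")),  # AND gate 1306
    "C":   ("AND", ("A", "G")),
    "D":   ("OR", ("B", "H")),
    "out": ("OR", ("C", "D")),    # the signal the text calls "output"
}
PRIMARY_INPUTS = {"B", "F"}
BLOCK_COST = {"CL1": 300, "CL2": 200, "CL4": 1200, "CL5": 900}  # nominal BDD sizes

# the page's stored counterexamples; "X" means don't-care
COUNTEREXAMPLES = {"CE1": {"A": 1, "B": "X"}, "CE2": {"B": 1, "A": "X"}}


def propagate(assumption: Dict[str, int]) -> Dict[str, int]:
    """Constant-propagate the assumed values through the gates to a fixpoint.

    Returns every signal the assumption forces, e.g. F == 0 forces A1, A and C
    to 0 through the AND gates.  Block outputs are never forced.
    """
    known = dict(assumption)
    changed = True
    while changed:
        changed = False
        for sig, (kind, ins) in GATES.items():
            if sig in known or kind == "BLOCK":
                continue
            vals = [known.get(i) for i in ins]
            if kind == "AND":
                v = 0 if 0 in vals else (1 if all(x == 1 for x in vals) else None)
            else:  # OR
                v = 1 if 1 in vals else (0 if all(x == 0 for x in vals) else None)
            if v is not None:
                known[sig] = v
                changed = True
    return known


def relevant_blocks(assumption: Dict[str, int]) -> Set[str]:
    """Blocks still in the cone of influence of out once forced signals are cut.

    Depth-first traversal from the output that stops at constants and at
    primary inputs (the netlist traversal described for step 1108).
    """
    known = propagate(assumption)
    relevant: Set[str] = set()
    seen: Set[str] = set()

    def visit(sig: str) -> None:
        if sig in seen or sig in known or sig in PRIMARY_INPUTS:
            return
        seen.add(sig)
        kind, ins = GATES[sig]
        if kind == "BLOCK":
            relevant.add(ins[0])
            return
        for i in ins:
            visit(i)

    visit("out")
    return relevant


def invalidates(assumption: Dict[str, int], ce: Dict[str, object]) -> bool:
    """True if the assumption, or anything it forces, contradicts the counterexample."""
    forced = propagate(assumption)
    return any(s in forced and forced[s] != v for s, v in ce.items() if v != "X")


def estimate(assumption: Dict[str, int]) -> Dict[str, object]:
    """Effect and cost of adding one assumption (steps 1206 to 1210)."""
    dropped = set(BLOCK_COST) - relevant_blocks(assumption)
    return {
        "eliminates": sorted(n for n, ce in COUNTEREXAMPLES.items()
                             if invalidates(assumption, ce)),
        "dropped_blocks": sorted(dropped),
        "savings": sum(BLOCK_COST[b] for b in dropped),
        "overhead": len(assumption),  # crude stand-in for the assumption's own BDD size
    }


def reappearing(remaining: List[Dict[str, int]]) -> List[str]:
    """Counterexamples no longer invalidated by the assumptions kept (tuning step 1006)."""
    return sorted(n for n, ce in COUNTEREXAMPLES.items()
                  if not any(invalidates(a, ce) for a in remaining))


if __name__ == "__main__":
    for a in ({"B": 0}, {"B": 1}, {"F": 0}):
        print(a, estimate(a))
    print("drop B==0:", reappearing([{"F": 0}]))
    print("drop F==0:", reappearing([{"B": 0}]))
```

Note that B == 1 drops every block (D and hence out become constant) but eliminates neither counterexample, which is why the effect and the cost are reported together rather than the cost alone.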
The procedure continues by analyzing 954 the design with the modifications selected by the user. In this iteration of the design analysis, one counterexample (CE3) is identified.
H == 1 && B == X && F == X
That is, the output is equal to 1 when signal H is equal to 1. The present invention identifies 956 that a counterexample exists and the user indicates 958 that the counterexample is not the result of a design error. Then the present invention attempts to remove the counterexample in step 962. As described above, step 962 is described in greater detail in
The present invention then analyzes 1104 the primary inputs (signals B and F) as described above with reference to
In this situation the user does not indicate 964 that the analysis is too slow and the design is analyzed 954 once again. No counterexamples are generated 956 by the design analysis 954. The user is then provided an opportunity to indicate 970 whether the analysis was too slow. If the analysis was not too slow the process ends. If the analysis was too slow the present invention tunes 972 the analysis. The process for tuning 972 the analysis is the same as the process described above with reference to step 966. The analysis tuning 972 process is described in greater detail with reference to
The above examples only have combinational logic, so the cost can be determined easily using, as one factor, the size of the BDD representing the logic. However, when sequential logic is in the design, different factors are used to determine the cost/complexity.
For this example, the design is defined as:

```verilog
// the design (Verilog, cleaned up from the page's listing; the signal the
// text calls "output" is named out here because output is a reserved word)
module design (
  input clk,
  input rst,
  input F,
  input B,
  input CL1,   // output of complex logic block CL1 (defined elsewhere)
  input CL2,   // output of complex logic block CL2 (defined elsewhere)
  output wire out
);
  reg [31:0] A;
  wire C = (A == 32'hFFFF) && CL1;
  wire D = B || CL2;
  assign out = C || D;
  always @(posedge clk)
    if (rst) A <= 32'd0;
    else     A <= A + 32'b1;
endmodule
```

The user tries to prove that output == 0 at all times. After this design is analyzed 904 using an analysis region that does not include the counter, a counterexample CE4 is identified at the first cycle after reset.
A == 32'hFFFF && B == X
If the user does not think CE4 represents a design error 908 then the present invention identifies 912 assumptions and the analysis region to attempt to remove counterexamples. With reference to
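The two sequential cost factors named above (a counter-like register costs iterations, a datapath-like register costs states) can be made concrete by computing the reachable-state fixpoint explicitly. The following is an added example, not the patent's implementation; it narrows the page's counter (reg A reset to 0, A <= A + 1 each cycle) to WIDTH bits so the fixpoint is small, and contrasts it with a constructed datapath-style register that loads an unconstrained input each cycle.

```python
"""Iterations versus states for sequential logic (added example).

Toy models narrowed to WIDTH bits: the page's counter register and a
constructed datapath-style register loaded from a free input.
"""
from typing import Callable, Dict, Set, Tuple


def reachable_fixpoint(step: Callable[[int], Set[int]], init: int) -> Tuple[Set[int], int]:
    """Breadth-first reachable-state computation.

    Returns (reachable states, number of image computations until no new
    state appears), i.e. the iteration count the analysis would need.
    """
    reached = {init}
    frontier = {init}
    iterations = 0
    while frontier:
        iterations += 1              # one image computation per round
        new: Set[int] = set()
        for s in frontier:
            new |= step(s) - reached
        reached |= new
        frontier = new
    return reached, iterations


def counter_step(width: int) -> Callable[[int], Set[int]]:
    """Next states of reg A with A <= rst ? 0 : A + 1; rst is a free input."""
    mask = (1 << width) - 1
    return lambda a: {0, (a + 1) & mask}


def datapath_step(width: int) -> Callable[[int], Set[int]]:
    """Next states of reg A with A <= B, where B is an unconstrained input."""
    mask = (1 << width) - 1
    return lambda a: set(range(mask + 1))


def profile(kind: str, width: int) -> Dict[str, int]:
    """States and iterations the analysis needs for a register of the given kind."""
    step = counter_step(width) if kind == "counter" else datapath_step(width)
    states, iterations = reachable_fixpoint(step, 0)
    all_ones = (1 << width) - 1   # the value A == 32'hFFFF plays in the page's design
    return {"states": len(states), "iterations": iterations,
            "reaches_all_ones": int(all_ones in states)}


if __name__ == "__main__":
    for width in (4, 8):
        print(width, "counter ", profile("counter", width))
        print(width, "datapath", profile("datapath", width))
```

Both registers reach the same 2^WIDTH states, but the counter needs 2^WIDTH iterations to get there while the datapath register is done in two, which is why the range of a counter is the page's cost indicator for iterations.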
The system also operates with other design elements, e.g., multiplexors.
```verilog
// the design (Verilog, cleaned up from the page's listing; the signal the
// text calls "output" is named out here because output is a reserved word)
module design2 (
  input clk,
  input [1:0] select,
  output wire out
);
  reg [31:0] A;
  // B1..B4 are driven by complex logic blocks BB1..BB4, whose own inputs are
  // the design's other primary inputs; the block bodies are not shown on the page
  wire [31:0] B1 = complex_logic_BB1;
  wire [31:0] B2 = complex_logic_BB2;
  wire [31:0] B3 = complex_logic_BB3;
  wire [31:0] B4 = complex_logic_BB4;
  assign out = (A == 32'hFFFF);
  always @(posedge clk)
    case (select)
      2'b00: A <= B1;
      2'b01: A <= B2;
      2'b10: A <= B3;
      2'b11: A <= B4;
    endcase
endmodule
```

In this example, the entire design is being analyzed. After receiving 952 the above design requirements, the present invention analyzes 954 the design and, for this example, identifies two counterexamples (CE5 and CE6):
CE5: B1 == 32'hFFFF && select == 2'b00
CE6: B2 == 32'hFFFF && select == 2'b01
The primary inputs deemed relevant by the present invention are “Select” and inputs driving complex logic B1 and complex logic B2.
After analyzing 954 the design, the present invention identifies 956 the two counterexamples and the user indicates 958 that the counterexamples are not caused by a design error. The present invention identifies 962 the assumptions and analysis region to attempt to remove the counterexamples. As described above, step 962 is described in more detail with reference to
~(select == 2'b00)
The present invention analyzes the assumption and determines 1206 whether the assumption eliminates any of the counterexamples. In this example, the assumption does not eliminate CE6 but does eliminate CE5, since this counterexample requires that the value of the select signal be 2'b00. The present invention continues by generating 1208 assumptions on the primary inputs that will invalidate counterexamples. In one embodiment of the present invention, the invention reviews CE5 and determines that the assumption the user provided is the only assumption that will invalidate CE5. The invention then analyzes CE6 and determines that the assumption “~(select == 2'b01)” will invalidate CE6.
The invention then estimates 1210 the cost of adding these assumptions. For the assumption “~(select == 2'b00)” the cost of verification will decrease, because the logic corresponding to B1 can be excluded from the analysis. The cost savings can be identified as the BDD size of the logic in B1. Similarly, for the assumption “~(select == 2'b01)” the cost of verification will decrease, because the logic corresponding to B2 can be excluded from the analysis. The cost savings can be identified as the BDD size of the logic in B2. The process then continues and the invention presents 1114 the cost and effect of each assumption to the user, who can elect which assumptions to use. The present invention receives 1116 the assumptions and the process continues.
While particular embodiments and applications of the present invention have been illustrated and described herein, it is to be understood that the invention is not limited to the precise construction and components disclosed herein and that various modifications, changes, and variations may be made in the arrangement, operation, and details of the methods and apparatuses of the present invention without departing from the spirit and scope of the invention as it is defined in the appended claims.
Claims
1. A computer based method for verifying properties of a circuit model of a digital circuit design comprising the steps of:
- receiving one or more verification requirements for the circuit model;
- receiving one or more counterexamples, including a first counterexample, that does not satisfy one or more of said verification requirements for the circuit model;
- identifying a first environmental constraint for one or more primary inputs that invalidates said first counterexample; and
- automatically determining a first cost-of-analysis value representing an estimate of a cost of the analysis for the design, without performing a complete circuit model analysis, using said first environmental constraint having the steps of: identifying a first portion of logic in the circuit model that is not necessary to analyze due to the first environmental constraint; and determining a first cost value representing an estimate of computational savings resulting from not analyzing said first portion of logic.
2. The method of claim 1, further comprising the step of presenting said first cost-of-analysis value to a user.
3. The method of claim 1, wherein the circuit model is a register transfer level (RTL) design model.
4. The method of claim 1, wherein said step of determining a first cost value comprises the step of:
- identifying a size of a binary decision diagram (BDD) corresponding to said first portion of logic to estimate said first cost-of-analysis value.
5. The method of claim 1, wherein said step of automatically determining a first cost-of-analysis value further comprises the steps of:
- identifying a second portion of logic that constrains one or more primary inputs according to said first environmental constraint; and
- determining a second cost value representing an estimate of computational cost resulting from analyzing said second portion of logic wherein said first cost-of-analysis value is equal to a combination of said first and second cost values.
6. The method of claim 1, wherein said step of receiving one or more counterexamples comprises the steps of:
- analyzing the circuit design to identify said first counterexample that does not satisfy one or more of said verification requirements for the circuit model.
7. The method of claim 1, wherein said one or more counterexamples includes a second counterexample, further comprising the steps of:
- identifying a second environmental constraint that invalidates said second counterexample; and
- automatically determining a second cost-of-analysis value representing an estimate of a cost of the analysis for the design without performing a complete design analysis and using said second environmental constraint.
8. The method of claim 7, further comprising the step of:
- presenting said first and second cost-of-analysis values to the user.
9. The method of claim 8, further comprising the steps of:
- receiving a first user-selected subset of said first and second environmental constraints in response to said first and second cost-of-analysis values; and
- analyzing the circuit design with said first user-selected subset of environmental constraints.
10. The method of claim 1, further comprising the steps of:
- identifying a second environmental constraint for a primary input that invalidates said first counterexample; and
- automatically determining a second cost-of-analysis value representing an estimate of a cost of the analysis for the design, without performing a complete circuit model analysis, using said second environmental constraint.
11. The method of claim 10, further comprising the step of:
- presenting said first and second cost-of-analysis values to a user.
12. The method of claim 10, further comprising the step of:
- comparing said first and second cost-of-analysis values to identify the cost-of-analysis value having a lower cost.
13. A computer based method for verifying properties of a circuit model of a digital circuit design comprising the steps of:
- receiving one or more verification requirements for the circuit model;
- receiving one or more counterexamples, including a first counterexample, that does not satisfy one or more of said verification requirements for the circuit model;
- identifying a first environmental constraint for one or more primary inputs that invalidates said first counterexample; and
- automatically determining a first cost-of-analysis value representing an estimate of a cost of the analysis for the design, without performing a complete circuit model analysis, using said first environmental constraint having the steps of: identifying a first portion of logic that constrains one or more primary inputs according to said first environmental constraint; and determining a first cost value for said first portion of logic representing an estimate of a computational cost resulting from analyzing said first portion of logic.
14. The method of claim 13, further comprising the step of presenting said first cost-of-analysis value to a user.
15. The method of claim 13, wherein said step of determining a first cost value comprises the step of:
- identifying a size of a binary decision diagram (BDD) corresponding to said first portion of logic to estimate said first cost-of-analysis value.
16. The method of claim 13, wherein said one or more counterexamples includes a second counterexample, further comprising the steps of:
- identifying a second environmental constraint that invalidates said second counterexample; and
- automatically determining a second cost-of-analysis value representing an estimate of a cost of the analysis for the design without performing a complete design analysis and using said second environmental constraint.
17. The method of claim 13, further comprising the steps of:
- identifying a second environmental constraint for a primary input that invalidates said first counterexample and
- automatically determining a second cost-of-analysis value representing an estimate of a cost of the analysis for the design, without performing a complete circuit model analysis, using said second environmental constraint.
18. A computer based method for verifying properties of a circuit model of a digital circuit design comprising the steps of:
- receiving one or more verification requirements for the circuit model; and
- determining a first cost-of-analysis value for tuning the analysis of the design, representing an estimate of a cost of the analysis for the design, without performing a complete circuit model analysis, having the steps of receiving a first signal in the circuit model; identifying a first portion of logic in the circuit model that drives the said first signal; and determining a first cost value representing an estimate of computational savings resulting from not analyzing said first portion of logic.
19. The method of claim 18, wherein said step of determining a first cost-of-analysis value further comprises the steps of:
- receiving a second portion of logic in the circuit model to drive said first signal; and
- determining a second cost value representing an estimate of a computational cost resulting from analyzing said second portion of logic wherein said first cost-of-analysis value is equal to a combination of said first and second cost values.
20. The method of claim 18, further comprising the step of presenting said first cost-of-analysis value to a user.
21. The method of claim 18, wherein the circuit model is a register transfer level (RTL) design model.
22. The method of claim 18, wherein said step of determining a first cost value comprises the step of:
- identifying a size of a binary decision diagram (BDD) corresponding to said first portion of logic to estimate said first cost-of-analysis value.
23. A computer based method for verifying properties of a circuit model of a digital circuit design comprising the steps of:
- receiving one or more verification requirements for the circuit model;
- receiving one or more counterexamples including a first counterexample, that does not satisfy one or more of said verification requirements for the circuit model, said counterexample from an analysis using an analysis region having boundary net signals;
- receiving a first portion of logic in the circuit model that was not previously analyzed, and drives one or more of said boundary net signals;
- automatically determining a first cost-of-analysis value representing an estimate of a cost of the analysis for the design, without performing a complete circuit model analysis, having the steps of: determining a first cost value representing an estimate of a cost of an analysis of said first portion of logic.
24. The method of claim 23, further comprising the step of presenting said first cost-of-analysis value to a user.
25. The method of claim 23, further comprising the steps of:
- receiving a second portion of logic in the circuit model that was not previously analyzed, and drives one or more of said boundary net signals that invalidates said first counterexample; and
- automatically determining a second cost-of-analysis value representing an estimate of a cost of the analysis of the second portion of logic.
26. The method of claim 23, further comprising the step of:
- presenting said first and second cost-of-analysis values to a user.
27. The method of claim 26, further comprising the step of:
- comparing said first and second cost-of-analysis values to identify the cost-of-analysis value having a lower cost.
28. A computer based method for verifying properties of a circuit model of a digital circuit design comprising the steps of:
- receiving one or more verification requirements for the circuit model;
- identifying a first environmental constraint for one or more primary inputs; and
- automatically determining a first cost-of-analysis value representing an estimate of a cost of the analysis for the design, without performing a complete circuit model analysis, using said first environmental constraint having the steps of: identifying a first portion of logic in the circuit model that is not necessary to analyze due to the first environmental constraint; and determining a first cost value representing an estimate of computational savings resulting from not analyzing said first portion of logic.
29. The method of claim 28, further comprising the step of presenting said first cost-of-analysis value to a user.
30. The method of claim 28, further comprising the steps of:
- identifying a second environmental constraint for a primary input that invalidates a first counterexample; and
- automatically determining a second cost-of-analysis value representing an estimate of a cost of the analysis for the design, without performing a complete circuit model analysis, using said second environmental constraint.
31. The method of claim 28, further comprising the step of:
- presenting said first and second cost-of-analysis values to a user.
32. The method of claim 31, further comprising the step of:
- comparing said first and second cost-of-analysis values to identify the cost-of-analysis value having a lower cost.
33. A computer based method for verifying properties of a circuit model of a digital circuit design comprising the steps of:
- receiving one or more verification requirements for the circuit model;
- receiving a verification result from a formal analysis of a first portion of the design;
- receiving a second portion of the design that is a subset of said first portion of the design; and
- automatically determining a first cost-of-analysis value representing an estimate of a computational savings resulting from not analyzing said second portion of the design, without performing a complete circuit model analysis of said first portion of the design without said second portion of the design.
34. The method of claim 33, further comprising the step of presenting said first cost-of-analysis value to a user.
35. The method of claim 33, further comprising the steps of:
- receiving a third portion of the design that is a subset of the first portion; and
- automatically determining a second cost-of-analysis value representing an estimate of the computational savings resulting from not analyzing said third portion of the design, without performing a complete circuit model analysis of said first portion of the design without said third portion of the design.
36. The method of claim 35, further comprising the step of:
- presenting said first and second cost-of-analysis values to a user.
37. The method of claim 36, further comprising the step of:
- comparing said first and second cost-of-analysis values to identify the cost-of-analysis value having a lower cost.
38. A computer based system for verifying properties of a circuit model of a digital circuit design comprising:
- verification requirements receiving means for receiving one or more verification requirements for the circuit model;
- counterexample receiving means for receiving one or more counterexamples, including a first counterexample, that does not satisfy one or more of said verification requirements for the circuit model;
- first environmental constraint identification means for identifying a first environmental constraint for one or more primary inputs that invalidates said first counterexample; and
- first cost of analysis means for automatically determining a first cost-of-analysis value representing an estimate of a cost of the analysis for the design, without performing a complete circuit model analysis, using said first environmental constraint, wherein said first cost of analysis means comprises: first logic identification means for identifying a first portion of logic in the circuit model that is not necessary to analyze due to the first environmental constraint; and first cost value means for determining a first cost value representing an estimate of computational savings resulting from not analyzing said first portion of logic.
39. The system of claim 38, further comprising:
- presentation means for presenting said first cost-of-analysis value to a user.
40. The system of claim 38, wherein the circuit model is a register transfer level (RTL) design model.
41. The system of claim 38, wherein said first cost value means comprises:
- BDD means for identifying a size of a binary decision diagram (BDD) corresponding to said first portion of logic to estimate said first cost-of-analysis value.
42. The system of claim 38, wherein said counterexample receiving means comprises:
- analysis means for analyzing the circuit design to identify said first counterexample that does not satisfy one or more of said verification requirements for the circuit model.
43. The system of claim 38, further comprising:
- second environmental constraint identification means for identifying a second environmental constraint for a primary input that invalidates said first counterexample; and
- second cost of analysis means for automatically determining a second cost-of-analysis value representing an estimate of a cost of the analysis for the design, without performing a complete circuit model analysis, using said second environmental constraint.
44. The system of claim 43, further comprising:
- presentation means for presenting said first and second cost-of-analysis values to a user.
45. The system of claim 43, further comprising:
- cost-of-analysis comparison means for comparing said first and second cost-of-analysis values to identify the cost-of-analysis value having a lower cost.
46. A computer based system for verifying properties of a circuit model of a digital circuit design comprising:
- verification requirements receiving means for receiving one or more verification requirements for the circuit model; and
- tuning means for determining a first cost-of-analysis value for tuning the analysis of the design, representing an estimate of a cost of the analysis for the design, without performing a complete circuit model analysis, having the steps of receiving means for receiving a first signal in the circuit model; first logic identification means for identifying a first portion of logic in the circuit model that drives the said first signal; and first cost value determining means for determining a first cost value representing an estimate of computational savings resulting from not analyzing said first portion of logic.
47. The system of claim 46, wherein said tuning means further comprises:
- second logic identification means for receiving a second portion of logic in the circuit model to drive the first signal; and
- second cost value determining means for determining a second cost value representing an estimate of a computational cost resulting from analyzing said second portion of logic wherein said first cost-of-analysis value is equal to a combination of said first and second cost values.
48. The system of claim 46, further comprising:
- presentation means for presenting said first cost-of-analysis value to a user.
49. The system of claim 46, wherein the circuit model is a register transfer level (RTL) design model.
50. The system of claim 46, wherein said first cost value means includes:
- BDD means for identifying a size of a binary decision diagram (BDD) corresponding to said first portion of logic to estimate said first cost-of-analysis value.
51. A computer based system for verifying properties of a circuit model of a digital circuit design comprising:
- verification requirements receiving means for receiving one or more verification requirements for the circuit model;
- counterexample receiving means for receiving one or more counterexamples including a first counterexample, that does not satisfy one or more of said verification requirements for the circuit model, said counterexample from an analysis using an analysis region having boundary net signals;
- first portion of logic receiving means for receiving a first portion of logic in the circuit model that was not previously analyzed, and drives one or more of said boundary net signals;
- first cost-of-analysis means for automatically determining a first cost-of-analysis value representing an estimate of a cost of the analysis for the design, without performing a complete circuit model analysis, wherein said first cost of analysis means comprises: first cost value means for determining a first cost value representing an estimate of a cost of an analysis of said first portion of logic.
52. The system of claim 51, further comprising:
- second portion of logic receiving means for receiving a second portion of logic in the circuit model that was not previously analyzed, and drives one or more of said boundary net signals that invalidates said first counterexample; and
- second cost of analysis means for automatically determining a second cost-of-analysis value representing an estimate of a cost of the analysis for the design, without performing a complete circuit model analysis, using said second environmental constraint.
53. The system of claim 52, further comprising:
- presentation means for presenting said first and second cost-of-analysis values to a user.
54. The system of claim 52, further comprising:
- cost-of-analysis comparison means for comparing said first and second cost-of-analysis values to identify the cost-of-analysis value having a lower cost.
55. A computer based system for verifying properties of a circuit model of a digital circuit design comprising:
- verification requirements receiving means for receiving one or more verification requirements for the circuit model;
- counterexample receiving means for receiving one or more counterexamples, including a first counterexample, that does not satisfy one or more of said verification requirements for the circuit model;
- first environmental constraint identification means for identifying a first environmental constraint for one or more primary input signals; and
- first cost of analysis means for automatically determining a first cost-of-analysis value representing an estimate of a cost of the analysis for the design, without performing a complete circuit model analysis, using said first environmental constraint wherein said first cost of analysis means comprises: first logic identification means for identifying a first portion of logic in the circuit model that is not necessary to analyze due to the first environmental constraint; and first cost value means for determining a first cost value representing an estimate of computational savings resulting from not analyzing said first portion of logic.
56. The system of claim 55, further comprising:
- second environmental constraint identification means for identifying a second environmental constraint for one or more primary inputs; and
- second cost of analysis means for automatically determining a second cost-of-analysis value representing an estimate of a cost of the analysis for the design, without performing a complete circuit model analysis, using said second environmental constraint.
57. The system of claim 56, further comprising:
- presentation means for presenting said first and second cost-of-analysis values to a user.
58. The system of claim 56, further comprising:
- cost-of-analysis comparison means for comparing said first and second cost-of-analysis values to identify the cost-of-analysis value having a lower cost.
59. A computer based system for verifying properties of a circuit model of a digital circuit design comprising:
- verification requirements receiving means for receiving one or more verification requirements for the circuit model;
- counterexample receiving means for receiving one or more counterexamples, including a first counterexample, that does not satisfy one or more of said verification requirements for the circuit model;
- first environmental constraint identification means for identifying a first environmental constraint for one or more boundary net signals; and
- first cost of analysis means for automatically determining a first cost-of-analysis value representing an estimate of a cost of the analysis for the design, without performing a complete circuit model analysis, using said first environmental constraint wherein said first cost of analysis means comprises: first logic identification means for identifying a first portion of logic in the circuit model that is not necessary to analyze due to the first environmental constraint; and first cost value means for determining a first cost value representing an estimate of computational savings resulting from not analyzing said first portion of logic.
60. The system of claim 59, further comprising:
- second environmental constraint identification means for identifying a second environmental constraint for one or more boundary net signals; and
- second cost of analysis means for automatically determining a second cost-of-analysis value representing an estimate of a cost of the analysis for the design, without performing a complete circuit model analysis, using said second environmental constraint.
61. The system of claim 60, further comprising:
- presentation means for presenting said first and second cost-of-analysis values to a user.
62. The system of claim 60, further comprising:
- cost-of-analysis comparison means for comparing said first and second cost-of-analysis values to identify the cost-of-analysis value having a lower cost.
63. A computer based system for verifying properties of a circuit model of a digital circuit design comprising:
- verification requirements receiving means for receiving one or more verification requirements for the circuit model;
- counterexample means for receiving one or more counterexamples, including a first counterexample, that does not satisfy one or more of said verification requirements for the circuit model;
- first environmental constraint means for identifying a first environmental constraint for one or more primary inputs that invalidates said first counterexample; and
- first cost-of-analysis means for automatically determining a first cost-of-analysis value representing an estimate of a cost of the analysis for the design, without performing a complete circuit model analysis, using said first environmental constraint including: first portion of logic means for identifying a first portion of logic that constrains one or more primary inputs according to said first environmental constraint; and first portion of logic cost means for determining a first cost value for said first portion of logic representing an estimate of a computational cost resulting from analyzing said first portion of logic.
64. The system of claim 63, further comprising presentation means for presenting said first cost-of-analysis value to a user.
65. The system of claim 63, wherein said first portion of logic cost means comprises BDD means for identifying a size of a binary decision diagram (BDD) corresponding to said first portion of logic to estimate said first cost-of-analysis value.
66. The system of claim 63, wherein said one or more counterexamples includes a second counterexample, said system further comprising:
- second environmental constraint means for identifying a second environmental constraint that invalidates said second counterexample; and
- second cost-of-analysis means for automatically determining a second cost-of-analysis value representing an estimate of a cost of the analysis for the design without performing a complete design analysis and using said second environmental constraint.
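The tuning mechanism of claims 46-47 (savings from not analyzing the logic driving a signal, cost of the replacement logic, and their combination) and the comparison of claims 45 and 54, as an added example that is not the patent's own code. The netlist is constructed, and a gate count is assumed as the cost proxy in place of the BDD size the claims mention.

```python
"""Added example, not code from the patent: estimate the cost-of-analysis of
alternative ways to tune a formal analysis region (claims 46-47) and pick
the cheaper one (claims 45 and 54) without running the full analysis.  The
cost proxy is a gate count, assumed to stand in for the BDD size of claim 50."""
from collections import deque

# Constructed netlist: signal -> fan-in signals.  Primary inputs have no fan-in.
NETLIST = {
    "a": [], "b": [], "c": [], "d": [],
    "n1": ["a", "b"],
    "n2": ["c", "d"],
    "n3": ["n1", "n2"],
    "n4": ["n1", "d"],
    "bnd": ["n3", "a"],    # a boundary net signal of the analysis region
    "out": ["bnd", "n4"],  # the signal a verification requirement is checked on
}

def cone_of_logic(netlist, signal, stop_at=frozenset()):
    """Gates that transitively drive `signal`; signals in `stop_at` are treated
    as free boundary nets, so the logic driving them is not analysed."""
    seen, work = set(), deque([signal])
    while work:
        s = work.popleft()
        if s in seen or s in stop_at or not netlist.get(s):
            continue  # already visited, cut at a boundary net, or a primary input
        seen.add(s)
        work.extend(netlist[s])
    return seen

def cost_estimate(gates):
    return len(gates)  # assumption: one cost unit per gate

def tuning_costs(netlist, target, cut_signal, replacement_gate_count):
    """First cost value: savings from not analysing the logic driving
    `cut_signal`.  Second cost value: cost of the logic added to drive it
    instead.  Cost-of-analysis: their combination (claim 47).  Savings are
    what leaves the target's cone, not the cut signal's whole cone, because
    logic still reached on another path is still analysed."""
    full = cone_of_logic(netlist, target)
    kept = cone_of_logic(netlist, target, stop_at={cut_signal})
    first_cost_value = cost_estimate(full - kept)
    second_cost_value = replacement_gate_count
    return first_cost_value, second_cost_value, cost_estimate(kept) + second_cost_value

def lowest_cost_alternative(netlist, target, alternatives):
    """Compare cost-of-analysis values and return the label of the lower one;
    `alternatives` maps a label to (cut_signal, replacement_gate_count)."""
    scored = {label: tuning_costs(netlist, target, cut, added)[2]
              for label, (cut, added) in alternatives.items()}
    return min(scored, key=scored.get), scored
```

Cutting at `bnd` saves only 3 gates rather than the 4 in its own cone, because `n1` is still reached through `n4`; the comparison therefore rests on what actually leaves the analysis region.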
Type: Grant
Filed: Dec 24, 2003
Date of Patent: Jan 2, 2007
Assignee: Jasper Design Automation (Mountain View, CA)
Inventors: Chung-Wah Norris Ip (Fremont, CA), Lawrence Loh (Milpitas, CA), Vigyan Singhal (Fremont, CA), Howard Wong-Toi (Albany, CA), Soe Myint (Santa Clara, CA)
Primary Examiner: Vuthe Siek
Attorney: Fenwick & West LLP
Application Number: 10/745,993
International Classification: G06F 17/50 (20060101)